cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2226
Views
25
Helpful
10
Replies

Measuring TACACS+ performance.

Sergey Polski
Level 1
Level 1

Hello,

 

One of my customers have 2 node cluster (version 2.4) running on Vmware with which he had issue where logs were shown in delay of 12 hours. TAC recommended to apply latest patch, that resolved the issue. When I asked them how can we measure TACACS+ performance, they told me to look at reports, but I haven't found anything related TACACS TPS.

Right now this customer have around 400 devices in his network and he expect a significant growth and exise, performance, tacacspect to have 2000 devices by end of 2023.

My question is how TACACS+ performance can be measured on existing cluster? Currently it's 2 node VMs with 16vCPU and 32G RAM with VM Medium license. There is no load balancer in front of the VMs, so first VM is taking most of the load in terms of TACACS requests.

In addition to that customer has some Security systems that log in to all devices every few minutes and run various command, like "show ip arp", "show ip route", etc, so the load will be increased by the end of 2023.

 

Thanks

2 Accepted Solutions

Accepted Solutions

thomas
Cisco Employee
Cisco Employee

By performance, it sounds like you want summary statistics for total number of authentication over certain time periods. 

Operations > Reports > Reports > Device Administration > Authentication Summary gives you these breakdowns:

  • TACACS Authentication Summary
  • Authentications By Day and Quick Links
  • Authentications By Device Groups
  • Authentications By Device Name
  • Authentications By Device Type
  • Authentications By Failure Reason
  • Authentications By Identity Store
  • Authentications By Location
  • Chart: Passed Authentications By Day

View solution in original post

Yes there is a "TACACS Authorization" section under Reports > Device Administration.

View solution in original post

10 Replies 10

balaji.bandi
Hall of Fame
Hall of Fame

First i would like to check is your requirement changed :

 

https://www.cisco.com/c/en/us/td/docs/security/ise/performance_and_scalability/b_ise_perf_and_scale.html

 

You can look some perfomance report :

 

https://ciscocustomer.lookbookhq.com/iseguidedjourney/ISE-troubleshooting

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

In both links I couldn't find where I see TACACS TPS for authorization and authentication.

Guide in first link (that I also mentioned in my question) under TACACS+ Performance section talks about transaction per seconds for different scenarios.

My qiestion is where I can these measurements on existing cluster?

The first one give you how your design get maximum TPS - second one you can caculate based on the information you have.

If you configure the stats you get report :

 

follow below thread : (Hope that help to get information you looking)

https://community.cisco.com/t5/network-access-control/cisco-ise-authentication-per-second/td-p/3391705

https://community.cisco.com/t5/network-access-control/ise-key-performance-metrics-units/m-p/3477660?start=0&tstart=0

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

thomas
Cisco Employee
Cisco Employee

By performance, it sounds like you want summary statistics for total number of authentication over certain time periods. 

Operations > Reports > Reports > Device Administration > Authentication Summary gives you these breakdowns:

  • TACACS Authentication Summary
  • Authentications By Day and Quick Links
  • Authentications By Device Groups
  • Authentications By Device Name
  • Authentications By Device Type
  • Authentications By Failure Reason
  • Authentications By Identity Store
  • Authentications By Location
  • Chart: Passed Authentications By Day

Thanks Thomas.

 

It looks like a possible solution, but only for authentication. In the report I can see that this system handle 250K authorization requests for 24 hours, which is nothing even for Small sized VM.

Is there a similar report for authorization? I assume that ISE gets much more authorization request since we authorize every command that user or some kind of automatic system execute.

 

Thanks

Yes there is a "TACACS Authorization" section under Reports > Device Administration.

I am looking for statistics, not logs. Logs I can see in TACACS Live logs.

"There is no load balancer in front of the VMs, so first VM is taking most of the load in terms of TACACS requests."

You can configure the first 200 devices to point to the first TACACS server as the primary and the 2nd TACACS server as secondary.  The last 200 devices to point to the secondary TACACS server as the primary and the primary TACACS server as secondary.  That will distribute the load among them.

Peter Koltl
Level 7
Level 7

Authentication Summary report shows the authC number for each day. You can export the authZ reports to CSV and calculate the authZ quantity per day.

If the PSN CPU usage is below 10%, you don't have to worry.

If you have no alarms like this, you don't have to worry. In fact, you can tune the threshold values to lower and see when the alarms occur.

PeterKoltl_0-1657612509645.jpeg